Brokers Need Thorough Plan to Deal With Potential Cyberattacks, Experts Say
A suspected June cyberattack on Livingston International highlighted the need for customs brokers to prepare for a potential breach, which could disrupt their operations and cut off communication with CBP and clients, industry experts said in interviews. They said brokers should formulate a detailed plan for how to respond, which may include hiring subcontractors, notifying customers and quickly reporting to federal agencies.
If a bad actor wants to break into a security system, they will find a way, Susan Kohn Ross of Mitchell Silberberg told International Trade Today. “It's very much a question of when not if,” Ross said. “If someone is determined, they're going to find a way to get in.”
That lesson was demonstrated most recently with Livingston, which experienced a shutdown of “select operating systems” on June 21 after it detected a "threat of unauthorized intrusion into” those systems, Livingston told International Trade Today. “We made this decision because the protection of our clients’ systems and data is of paramount importance to us,” Livingston said.
The broker said it "restored connectivity" with Canadian and U.S. customs on June 23 and "have since made significant progress in clearing the backlog of entries. We acknowledge this caused delays and was disruptive to our clients and carrier partners.”
The cyberattack on Livingston highlighted what other brokers may experience during a breach. Brokers should take the "very basic step" of having a cybersecurity plan and a physical copy of that plan, Ralph De La Rosa of Imperial Freight Brokers said in an interview. “The advice I give folks is, turn off your phone, turn off your computers and try to transact business... . Put yourself in the situation and try to figure out what tools you would need, how would you communicate with your clients, how would you communicate with Customs and really develop a plan to have in place to allow you to transact business in very difficult certain circumstances."
Customs brokers should also set aside a “designated set of entry numbers" they can access in a cyber incident, De La Rosa said. Brokers “should have a written plan on regarding who to contact, how to be able to add points of contact in different ports where they do the majority of their entries." Brokers also should have contact information at the ports where they have “a particular concentration of entries," De La Rosa said.
Brokers unable to file should think about who they can subcontract work to and “who you're going to hire to do that,” Ross said, adding that they also should make sure ahead of time their subcontracting situation is OK with CBP. “You have to have a conversation with Customs, and say, 'you know, if this happens, this is what we're going to need to do, and are you guys going to be OK with it,'” Ross said.
Ross also said brokers should "figure out which agencies you need to report" the incident to, usually TSA and CBP. "Then you have to figure out when do you report that," Ross said. She said reaching out to the FBI or Secret Service first might be the best step. “You do have to practice, you just can't” make up or "create procedure," Ross said.
De La Rosa also suggested brokers contact CBP once they experience a “cyber incident,” as they "are in a position to help you with what we call downtime procedures and basically walk you through some of the lessons learned that they've used with other brokers, which they can in turn use with you to help you through the situation." Brokers also should determine an alternate way of communicating with Customs, "whether it be through another system or through another broker in which you can have already established some sort of agreement for downtime,” De La Rosa said.
It's also important for brokers to determine whether they're required by a contract to contact clients and give them notice of a cyber breach, Ross said. "You need to be clear about what that notice is," Ross said. "Where this gets really dicey is as a lawyer. I don't want anybody to know what we figured out until we can figure out how we want to share that with the appropriate authorities."
Ross also stressed the importance of having a process in place for future emergencies. The National Institute of Standards and Technology said companies should have a "process" to continue to look for, identify and fix problems, Ross said. “You have a setup where you're looking for problems, you identify the problems, you fix the problems, and you go back to start,” Ross said.
Ross discussed the importance of having a response team to deal with cyber issues. “The purpose of this team is to say, 'if X happens, this is what we're going to do,'” Ross said. If a hacker, for example, targets a payment processor, Ross said, companies should ask themselves: "How do you work around that? How do you make sure, for example, that you can still process credit card payments?”
Another way brokers and others can practice is through a process called "white hatting," Ross said, where someone is given permission to "find weaknesses in your system." That way, "you know what your vulnerabilities are, and you can deal with them."
When determining whether to pay ransom, that depends on whether the broker is confident it can close the loop that led to the security breach. If the broker doesn't close the loop, “they're going to be back,” Ross said.
Asked about CBP’s approach to cybersecurity, De La Rosa said that he believes CBP understands cyber is “an ever-evolving threat," and the agency is “taking steps to better equip both themselves” and the trade as the events happen. “I don't want to say they need to do anything differently because they already understand that they need to further develop a plan, and they're proactively doing that,” De La Rosa said.